CVE-2025-46548

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/akka/akka-management/pull/1385	Exploit Issue Tracking
https://github.com/apache/pekko-management/pull/418	Issue Tracking Patch
https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/06/03/7	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:pekko_management:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:akka:akka_management:*:*:*:*:*:*:*:*

History

02 Jul 2025, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 15:15

Updated : 2025-07-02 14:19

NVD link : CVE-2025-46548

Mitre link : CVE-2025-46548

CVE.ORG link : CVE-2025-46548

JSON object : View

Products Affected

akka

akka_management

apache

pekko_management

CWE

CWE-287

Improper Authentication

{"id": "CVE-2025-46548", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-06-03T15:15:59.110", "references": [{"url": "https://github.com/akka/akka-management/pull/1385", "tags": ["Exploit", "Issue Tracking"], "source": "security@apache.org"}, {"url": "https://github.com/apache/pekko-management/pull/418", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/03/7", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1."}, {"lang": "es", "value": "Si habilita la autenticaci\u00f3n b\u00e1sica en Pekko Management mediante el DSL de Java, es posible que el autenticador no se aplique correctamente. Se recomienda a los usuarios que dependen de la autenticaci\u00f3n en lugar de asegurarse de que los puertos de la API de administraci\u00f3n solo est\u00e9n disponibles para usuarios de confianza que actualicen a la versi\u00f3n 1.1.1, que soluciona este problema."}], "lastModified": "2025-07-02T14:19:10.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:pekko_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "100D0B74-D9C2-4DC2-B14E-25416E0A7B7B", "versionEndIncluding": "1.1.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:akka:akka_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "216EF615-CEA6-4CF7-8BE2-E215442B8935", "versionEndExcluding": "1.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}